CVE-2019-18582

Published: Mar 18, 2020Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.

Affected (11)

Products: Dell: Emc Data Protection Advisor, Emc Integrated Data Protection Appliance Firmware

Dell

2 products

Emc Data Protection Advisor

Emc Integrated Data Protection Appliance Firmware

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Dell Emc Data Protection Advisor	Version 18.1
Dell Emc Data Protection Advisor	Version 18.2
Dell Emc Data Protection Advisor	Version 19.1
Dell Emc Data Protection Advisor	Version 6.3
Dell Emc Data Protection Advisor	Version 6.4
Dell Emc Data Protection Advisor	Version 6.5

Configuration B

5 vulnerable · 4 platform

Vulnerable Software	Affected Versions
Dell Emc Integrated Data Protection Appliance Firmware	Version 2.0
Dell Emc Integrated Data Protection Appliance Firmware	Version 2.1
Dell Emc Integrated Data Protection Appliance Firmware	Version 2.2
Dell Emc Integrated Data Protection Appliance Firmware	Version 2.3
Dell Emc Integrated Data Protection Appliance Firmware	Version 2.4

Running on/with	Platform Versions
Dell Emc Idpa Dp4400	All versions
Dell Emc Idpa Dp5800	All versions
Dell Emc Idpa Dp8300	All versions
Dell Emc Idpa Dp8800	All versions

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities

Source: security_alert@emc.com

Vendor Advisory

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.